Preparedness Exercises for Cyber Attacks Against Industrial Control Systems in the Petroleum Industry

Abstract

In the petroleum industry, operations are monitored and controlled using Industrial Automation and Control Systems (IACS), also known as Operational Technology (OT). IACS are critical for the operation of the platform and for ensuring safe operation. As in other industries, digitalization has now introduced Information Technology (IT) to OT components, leading to an increased attack surface. New challenges arise as IACS are now connected to the Internet. Previously, preparedness exercises in the industry have concerned safety-related incidents. Today, digitalization requires the industry to also exercise on security incidents, especially against IACS. There are few guidelines present for this area, and the industry explicitly states a need for more detailed guidelines. We wanted to lessen this shortcoming by investigating descriptions of events to use in exercises, known as scenarios. This project investigated what characterizes a realistic and expedient scenario for tabletop exercises on cyber attacks against IACS in the petroleum industry. We have created two lists of criteria that characterize such scenarios. One list characterizes individual scenarios while the other characterizes scenario collections. We also developed a scenario collection with example scenarios for cyber attacks against IACS. When creating this collection, we used the lists of criteria to provide realistic and expedient scenarios. During the project, we used design science as the method. For the different phases, we conducted various activities. Most of the activities used a qualitative approach. To collect data, we conducted interviews with the industry and a literature review. The criteria and the scenario collection were developed based on the collected data and revisited and improved based on feedback from the industry. Both the lists and the scenario collection were validated and approved by respondents from two different operator companies.
The lists of criteria and the scenario collection can be used as guidelines for the industry on how best to develop and make use of scenarios in tabletop exercises on cyber attacks against IACS. Using the criteria and example scenarios as guidelines could make it easier for the industry to develop exercises in this area and to conduct preparedness exercises efficiently while providing a valuable learning outcome. From our results, we want to highlight the importance of basing the scenario on today’s threat landscape and making the scenarios plausible. In addition, we want to highlight the importance of exercising a scenario where a cyber attack causes events that appear to be caused by technical faults.
Category

Master thesis

Language

English

Author(s)

Affiliation

  • SINTEF Digital / Software Engineering, Safety and Security
  • Norwegian University of Science and Technology

Year

2021

Publisher

Norges teknisk-naturvitenskapelige universitet

View this publication at Norwegian Research Information Repository